Horacio Moreno's ITEC 5321 Portfolio

Live CD Class Project

Security Controls NIST SP 800-30 Essay

NIST SP 800-30 is a guide that provides a foundation for the development of an effective risk management program; it contains both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. An organization uses risk assessment to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process. In implementing recommended controls to mitigate risk, an organization should consider technical, management, and operational security controls, or a combination of such controls, to maximize the effectiveness of controls for its IT systems and organization.

Technical controls can be grouped into the following major categories according to primary purpose: Support, Prevent, and Detect and Recover. Supporting controls are generic and underlie most IT security capabilities; these controls must be in place in order to implement other controls. Supporting controls are, by their very nature, pervasive and interrelated with many other controls. They are identification, cryptographic key management, security administration, and system protections. Preventive controls focus on preventing security breaches from occurring in the first place. These controls, which can inhibit attempts to violate security policy, include the following: authentication, authorization, access control enforcement, non-repudiation, protected communications, and transaction privacy. Detect and Recover controls focus on detecting and recovering from a security breach. They are needed as a complement to the supporting and preventive technical measures, because none of the measures in these other areas is perfect. Detection and recovery controls include audit trails, intrusion detection and containment, proof of wholeness (checksums), restore secure state, and virus detection and eradication.

Management security controls are used to manage and reduce the risk of loss. Their focus is on information protection policy, guidelines, and standards. Management security controls fall into preventive, detection, and recovery categories. Preventive controls assign security responsibility and develop and maintain system security plans that document current controls and address planned controls for IT systems. They also implement personnel security controls and conduct security awareness and technical training. Detection controls implement personnel security controls such as background checks and rotation of duties. They also conduct periodic reviews of security controls, perform periodic system audits, conduct ongoing risk management to assess and mitigate risk, and authorize IT systems to address and accept residual risk. Recovery controls provide continuity of support and develop, test, and maintain the continuity of operations plan for disaster recovery. They also establish an incident response capability to prepare for, recognize, report, and respond to an incident and return the IT system to operational status.

Operational controls include preventive and detection controls that, when implemented in conjunction with technical and management controls and good industry practices, are used to correct operational deficiencies that could be exploited by a hacker. To ensure consistency in security operations, step-by-step procedures and methods for implementing operational controls must be clearly defined, documented, and maintained. Preventive operational controls include controlling data media access and disposal, limiting external data distribution, controlling software viruses, safeguarding the computing facility (e.g., security guards, e-badge system, biometrics), securing wiring closets, providing backup capability, establishing off-site storage procedures and security, and protecting laptops, personal computers, and workstations. They also include protecting IT assets from fire damage, providing an emergency power source, and controlling the humidity and temperature of the computing facility. Detection operational controls include providing physical security (e.g., motion detectors, closed-circuit cameras, sensors and alarms) and ensuring environmental security (e.g., smoke detectors, sensors and alarms).

Live CD Expository Essay

Live CDs are operating systems stored on a variety of portable media such as a CD, DVD, USB flash drive, and others. Once the BIOS on a PC is configured to start up from the particular media you choose, you can boot and start the operating system from that media just as you would from a regular hard drive setup. The live CD is then loaded into memory and your hard drive is left untouched. While the live CD can mount data devices to read from and write to them, they are not used in the boot process. There are several reasons why live CDs exist today, as you will find out in the following paragraphs. One of the main reasons involves the ability to boot up to an OS without the need of a hard drive.

The most obvious reason why live CDs work is that technology has evolved and compatibility issues surrounding hardware have been addressed to the extent that plug-and-play hardware is literally plug and play with any OS, as long as you have the right drivers on the live CD you're using. Another reason is that the cost to create media to boot to a live CD is significantly cheaper than it was several years ago. Also, most open source live CDs are completely free, although there are some proprietary versions. From a business point of view you can use and make as many copies of live CDs as you want without having to pay for a license agreement. By contrast, you still have to pay for proprietary OSs, and pay again to upgrade them in the future, even though those OSs may be full of security holes that only get updated once a month. Open source live CDs can help alleviate expenses by reducing the licensing budget in the organization.

Live CDs are currently being created to provide a basic operating system, and developers then create different types of distributions. Distributions, also known as distros, take the original live CD OS and combine or bundle it with applications that will enable the user to get the most out of that particular distro. For example, the popular live CD Knoppix was re-mastered and distributed under the new name Knoppix STD (Security Tools Distribution), which comes with an assortment of security tools covering cryptography, forensics, vulnerability scanning, packet sniffing, and more. As a result, a security consultant can recover passwords, recover files to a remote location, find an intruder, communicate securely and privately, recover from malware attacks, connect to a remote computer, and do many other things, all with only a live CD. This opens up a whole new topic of interest in the ever-evolving IT security industry. Live CDs also create a major vulnerability in organizations, since physical proximity to vital computer systems alone can render all other forms of security useless.

Other distribution categories include astronomy, bioinformatics, development, diagnostics, education, forensics, gaming, home entertainment, medical, media production, robotics, science, system administration, and of course security. From an education perspective, having the ability to try out a Linux distro before you install a permanent version of Linux is a great way to narrow down your selection. For example, Debian is a full version OS derived from Linux; if you wanted to preview Debian you could download Knoppix, the live CD version of Debian. For novices it's easy to download and boot up any Linux distro and begin to learn it without ever having to go through a complicated installation.

Live CD Distribution Essay

There are currently around 300 live CD distributions available. Most live CDs contain a system based on the GNU system and the Linux kernel, but there are also live CDs based on other operating systems, such as Mac OS, Mac OS X, BeOS, FreeBSD, Minix, NetBSD, Plan 9, MS-DOS, and Microsoft Windows. Although live CDs have come a long way since the first one, Mac OS 7 on a CD in 1991, the field still seems to be coming along because of all the available distros. Once this field finally matures, the ability to distinguish between each of their uses should come more easily. As in most cases, the live CDs that prove to be most useful will usually end up being the more popular ones and, as a result, will be the ones that turn corporate if they have not already.

Once an architecture for a live CD is chosen, deciding on a distribution comes down to its purpose and hence the programs bundled with that distro. Categories can range from and include the following: astronomy, bioinformatics, development, diagnostics, education, forensics, gaming, home entertainment, medical, media production, robotics, science, system administration, and security. Distributions can be differentiated by looking at the unique set of programs that each contains. For example, some development distributions have more coding and debugging applications than, say, a system administration live CD.

Update frequency is also an important differentiating factor. If a live CD only gets updated once a year then it's not getting the updates needed to create a stable OS. More updates or new versions being released usually means that the network around that project is large enough to sustain and iteratively improve the live CD's stability, reliability, and available support. The following will compare and contrast four Linux distros: WHAX, Knoppix STD, SLAX, and INSERT.

WHAX, formerly Whoppix, was created in Israel and is a stand-alone penetration testing live CD based on SLAX. It is meant to be used by penetration testers and security auditors. It is consistently updated every 3 to 4 months, which keeps the OS current with the latest tools and exploits. It provides several exploit archives, including SecurityFocus, Packet Storm, Security Forest, and Milw0rm. WHAX updates its software using .mo modules, which are simply placed in a directory on the CD while re-mastering and are then detected at bootup. WHAX is based on SLAX, which has a tool called MySLAX Creator with which you can quickly add or remove .mo modules when re-mastering an .iso CD image.

Knoppix STD (Security Tools Distribution) was made in the USA and focuses on IT security and network management tools. It was created for both the novice and the professional as a Swiss army knife security toolkit. The tools are divided into the following categories: authentication, encryption utilities, firewalls, penetration tools, vulnerability assessment, forensic tools, honeypots, intrusion detection, packet sniffers and assemblers, network utilities, wireless tools, password auditing (crackers), and servers. The only big problem with this distro is that it doesn't get updated frequently.

SLAX was created in the Czech Republic and is a live CD version of Slackware that is currently gaining momentum for how easily the distro can be re-mastered. SLAX is intended to replace your current OS and doesn't really have a narrow purpose for all the programs it provides; it is more of a generic desktop operating system. INSERT (Inside Security Rescue Toolkit) was made in Germany and is only 60 MB in size. INSERT aims to be a multi-functional, multi-purpose disaster recovery and network analysis system. It provides an essential set of tools small enough to carry on your thumb drive along with all your other data. You can run INSERT from USB by first creating a live CD version and then using a program in INSERT to install it on the USB drive.

A Specific Control Essay

The NIST SP 800-30 guide explains that in order to mitigate risk, an organization should consider technical, management, and operational security controls to maximize the effectiveness of controls for its IT systems and organization. I will be taking on technical controls in more depth, since they focus more on the software and data side of things, which can be more easily demonstrated. The following paragraphs will expand on the significance of technical controls and how a live CD may contribute to their implementation.

Technical controls can be grouped into three major categories: Support, Prevent, and Detect and Recover. Supporting controls are generic and underlie most IT security capabilities; these controls must be in place in order to implement other controls. Supporting controls are, by their very nature, pervasive and interrelated with many other controls. Supporting controls include identification, cryptographic key management, security administration, and system protections. Preventive controls focus on preventing security breaches from occurring in the first place. These controls, which can inhibit attempts to violate security policy, include the following: authentication, authorization, access control enforcement, non-repudiation, protected communications, and transaction privacy. Detect and Recover controls focus on detecting and recovering from a security breach. They are needed as a complement to the supporting and preventive technical measures, because none of the measures in these other areas is perfect. Detection and recovery controls include audit trails, intrusion detection and containment, proof of wholeness (checksums), restore secure state, and virus detection and eradication.

A live CD could be used to implement many of the technical controls mentioned above. Take, for example, security administration, which falls under the supporting category of technical controls: it can be easily done from any computer on your network with a Knoppix STD live CD. Within seconds a live CD could put up a temporary firewall and proxy, scan for vulnerabilities and malware, and analyze network traffic, and within minutes have all the information needed to improve security, which falls into the preventive category of technical controls. Security tools like nmap, netcat, and dsniff, readily available on live CDs, can facilitate penetration testing to see how well supporting and preventive controls are in place when time is not an issue. With live CDs, working in unsecured conditions is a thing of the past. You can easily manage cryptographic keys and authenticate files with an MD5 hash calculator. Preventive controls can be implemented with a live CD by using SSH to protect communications with encryption, thereby ensuring transaction privacy and non-repudiation.

Detection and recovery controls are well implemented with live CDs as well. Using a partition tool in a live CD can help clone an entire partition to an image file. That image file could then be run through a hash calculator, and the hash could be stored along with the image file to ensure proof of wholeness for future forensic purposes. Malware scanners can easily search for and eradicate rootkits, viruses, trojans, worms, and spyware. Recovery programs in live CDs can recover entire partitions or just some files that may have been removed by a virus. If an administrator forgets his password and no other method of getting it back is possible, he can boot up a copy of INSERT and use NT Hash, a program that can easily find and retrieve the hash of a Windows user password, which could later be used to recover the actual password with L0phtCrack.

A Specific CD or USB Essay

Technical controls can be grouped into three major categories: Support, Prevent, and Detect and Recover. With the exception of preventive controls, both supporting and detect and recover controls can be easily implemented with a live CD. Using INSERT (Inside Security Rescue Toolkit), a live CD distribution, a system administrator has the tools they need to save the day from the comfort of their pocket. INSERT was created by students at the University of Stuttgart who later formed Inside Security, an IT security consulting company based in Stuttgart, Germany. The following paragraphs will expand on INSERT and explain why I think this distribution can facilitate implementing some technical controls, specifically those involving detecting and recovering.

INSERT was created with the concept of DSL (Damn Small Linux), which was the first 50 MB live CD distribution. INSERT is largely based on Knoppix, which is based on Debian, which in turn is based on GNU/Linux. INSERT is not updated frequently, but emerging concepts take time to develop. The concepts at hand are those of size and portability. As mentioned, INSERT has the ability to fit anywhere from your wallet on a mini CD to your key chain on a USB drive. Nicely imaged on an ISO of only 60 MB, anyone can install it on their spare USB drive. Also, thanks to a recent discovery, the ability to read and write to an NTFS partition from a 60 MB live CD distro is now possible. Placing INSERT on a USB drive also improves boot speed and access time once in the GUI.

INSERT can facilitate the implementation of technical controls in several ways. The disaster recovery partition tools gparted, gpart, partimage, and testdisk can recover an entire partition or simply a file that may have been deleted by a virus. Some of these programs can also clone an entire partition to an image file. That image file could then be run through a hash calculator, and that hash could be stored along with that file to ensure proof of wholeness for future forensic purposes. Other forensic tools INSERT provides are chkrootkit, foremost, and Rootkit Hunter. INSERT can also scan for and remove viruses with ClamAV (Clam), an open source antivirus program with a GUI. freshclam is also included, which provides the ability to update Clam's database of malware signatures.
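The image-then-hash workflow described here, and in the detection and recovery paragraph of the previous essay, as an added shell example that is not from the original page or from INSERT itself: the functions image_partition, verify_image and tamper_image, the evidence directory and the sda1 sample file are my own names and constructed data, a regular file stands in for the block device so it runs without root, and GNU coreutils (dd, sha256sum) are assumed, as on a Linux live CD.

```shell
#!/bin/sh
# Added example, not from the original page or from INSERT/Knoppix: image a
# partition with dd, store its SHA-256 beside the image, and verify the pair
# later. A constructed sample file stands in for the real block device so
# this runs offline without root; on a live CD you would pass /dev/sdXN.
set -eu

# image_partition SRC OUTDIR: copy SRC to OUTDIR/<name>.img and write
# OUTDIR/<name>.img.sha256 as the proof-of-wholeness record. Prints the
# image path.
image_partition() {
    src=$1; outdir=$2
    name=$(basename "$src")
    mkdir -p "$outdir"
    # conv=noerror,sync keeps reading past bad blocks and pads them with
    # zeros, so a failing disk still yields a complete, same-size image.
    dd if="$src" of="$outdir/$name.img" bs=4096 conv=noerror,sync status=none
    ( cd "$outdir" && sha256sum "$name.img" > "$name.img.sha256" )
    echo "$outdir/$name.img"
}

# verify_image IMG: exit status 0 when IMG still matches its stored hash,
# non-zero when the image was altered or the sidecar file is missing.
verify_image() {
    img=$1
    [ -f "$img.sha256" ] || return 1
    ( cd "$(dirname "$img")" && sha256sum -c --status "$(basename "$img").sha256" )
}

# tamper_image IMG: overwrite the first byte; used only to show that a
# modified image fails verification.
tamper_image() {
    printf 'X' | dd of="$1" bs=1 conv=notrunc status=none
}

# --- constructed demo: a fake "partition" of a few KB -----------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'constructed sample partition contents\n' > "$demo_dir/sda1"
dd if=/dev/zero bs=1024 count=8 status=none >> "$demo_dir/sda1"

demo_image=$(image_partition "$demo_dir/sda1" "$demo_dir/evidence")
verify_image "$demo_image" && echo "image verified: $demo_image"
```

Keep the .sha256 sidecar on separate, write-once media from the image itself; a hash stored next to a file an intruder can edit proves nothing.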

Another major feature included is chntpw, an NT SAM password recovery utility. INSERT also offers the ability to use the smbfs client to connect to Windows networks. It also has a program that creates network boot floppies to boot from an INSERT server if the computer doesn't have a CD-ROM or USB drive. The full version of the Ultimate Boot CD, a huge collection of bootable floppy images for all kinds of system management tasks, comes bundled with INSERT. A full list of all of its programs is available at http://www.inside-security.de/applicationlist.html.
